/*     */ package com.zimbra.cs.account.accesscontrol;
/*     */ 
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.common.service.ServiceException.Argument;
/*     */ import com.zimbra.common.service.ServiceException.Argument.Type;
/*     */ import com.zimbra.common.service.ServiceException.InternalArgument;
/*     */ import com.zimbra.cs.account.Account;
/*     */ import com.zimbra.cs.account.Entry;
/*     */ import com.zimbra.cs.account.MailTarget;
/*     */ import java.util.Collections;
/*     */ import java.util.HashSet;
/*     */ import java.util.List;
/*     */ import java.util.Set;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public class HardRules
/*     */ {
/*     */   private static Set<String> ALWAYS_FORBIDDEN_ATTRS;
/*     */   
/*     */   static
/*     */   {
/*  37 */     Set<String> forbiddenAttr = new HashSet();
/*  38 */     forbiddenAttr.add("zimbraIsAdminAccount".toLowerCase());
/*     */     
/*  40 */     ALWAYS_FORBIDDEN_ATTRS = Collections.unmodifiableSet(forbiddenAttr);
/*     */   }
/*     */   
/*     */   public static enum HardRule {
/*  44 */     NOT_EFFECTIVE_DELEGATED_ADMIN_ACCOUNT, 
/*  45 */     DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN;
/*     */     
/*     */     private HardRule() {}
/*  48 */     public static HardRule ruleVolated(ServiceException e) { if ("service.PERM_DENIED".equals(e.getCode())) {
/*  49 */         List<ServiceException.Argument> args = e.getArgs();
/*  50 */         if (args != null) {
/*  51 */           for (ServiceException.Argument arg : args) {
/*  52 */             String name = arg.getName();
/*  53 */             if (name != null) {
/*     */               try {
/*  55 */                 return valueOf(name);
/*     */               }
/*     */               catch (IllegalArgumentException iae) {}
/*     */             }
/*     */           }
/*     */         }
/*     */       }
/*  62 */       return null;
/*     */     }
/*     */     
/*     */     private static ServiceException.Argument getExceptionArgument(HardRule rule) {
/*  66 */       return new ServiceException.InternalArgument(rule.name(), "VIOLATED", ServiceException.Argument.Type.STR);
/*     */     }
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public static Boolean checkHardRules(MailTarget authedTarget, boolean asAdmin, Entry target, Right right)
/*     */     throws ServiceException
/*     */   {
/*  84 */     if (((authedTarget instanceof Account)) && (AccessControlUtil.isGlobalAdmin((Account)authedTarget, asAdmin))) {
/*  85 */       return Boolean.TRUE;
/*     */     }
/*  87 */     boolean isAdminRight = (right == null) || (!right.isUserRight());
/*     */     
/*     */ 
/*  90 */     if (isAdminRight) {
/*  91 */       if ((authedTarget instanceof Account)) {
/*  92 */         Account authedAcct = (Account)authedTarget;
/*     */         
/*  94 */         if (!AccessControlUtil.isDelegatedAdmin(authedAcct, asAdmin)) {
/*  95 */           throw ServiceException.PERM_DENIED("not an eligible admin account", new ServiceException.Argument[] { HardRule.getExceptionArgument(HardRule.NOT_EFFECTIVE_DELEGATED_ADMIN_ACCOUNT) });
/*     */         }
/*     */         
/*     */ 
/*     */ 
/*     */ 
/* 101 */         if (((target instanceof Account)) && 
/* 102 */           (AccessControlUtil.isGlobalAdmin((Account)target, true))) {
/* 103 */           throw ServiceException.PERM_DENIED("delegated admin is not allowed to access a global admin's account", new ServiceException.Argument[] { HardRule.getExceptionArgument(HardRule.DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN) });
/*     */         }
/*     */         
/*     */       }
/*     */       else
/*     */       {
/* 109 */         throw ServiceException.PERM_DENIED("not an eligible admin account (not an account)", new ServiceException.Argument[] { HardRule.getExceptionArgument(HardRule.NOT_EFFECTIVE_DELEGATED_ADMIN_ACCOUNT) });
/*     */       }
/*     */     }
/*     */     
/*     */ 
/*     */ 
/*     */ 
/* 116 */     return null;
/*     */   }
/*     */   
/*     */   public static void checkForbiddenAttr(String attrName) throws ServiceException {
/* 120 */     if (isForbiddenAttr(attrName))
/* 121 */       throw ServiceException.PERM_DENIED("delegated admin is not allowed to modify " + attrName);
/*     */   }
/*     */   
/*     */   public static boolean isForbiddenAttr(String attrName) {
/* 125 */     return ALWAYS_FORBIDDEN_ATTRS.contains(attrName.toLowerCase());
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/account/accesscontrol/HardRules.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */